

Information Commissioner's Office 


ICO consultation on the draft right of access guidance 


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please 
email SARguidance@ico.org.uk. 


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about 
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather 
this information. Any data collected by Snap Surveys for ICO is 
stored on UK servers. You can read their Privacy Policy. 


Q1 Does the draft guidance cover the relevant issues about the right 
of access? 

X Yes 
O No 
O Unsure/don’t know 


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


Q2 Does the draft guidance contain the right level of detail? 


X Yes 
O No 
O Unsure/don’t know 


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


Q3 Does the draft guidance contain enough examples? 


X Yes 
O No 
O Unsure/don’t know 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


Q4 We have found that data protection professionals often struggle with applying and 
defining 'manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


Please see comments in Q8 regarding the application of the manifestly unfounded and 
excessive request provisions to bulk requests received via third parties. 


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all useful   2 - Slightly useful   3 - Moderately useful   4 - Very useful   5 - Extremely useful 
O O O O 


Q6 Why have you given this score? 


BGL receives regular rights requests from consumers and is of the view that the proposed guidance 
provides clear and useful information on the ICO’s expectations in how such requests should be dealt 
with. BGL would however like to submit some feedback in relation to the areas of the proposed 
guidance dealing with requests via third party online portals and bulk requests. Please see question 8 
for details. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly disagree   Disagree   Neither agree nor disagree   Agree   Strongly agree 
O O O O 


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 

BGL would like to submit the following comments in relation to the areas of the proposed guidance 
dealing with requests via third party online portals and bulk requests. 


Do we have to respond to requests made via a third party online portal? 


BGL would like to highlight the challenges faced in dealing with bulk rights requests via third party 
companies. These are typically companies that advertise themselves to consumers as being able to 
allow consumers to make multiple access rights requests, often alongside deletion and objection 
requests. The services are regularly positioned as allowing customers access to all their data and in 
some cases misleadingly give the impression that the companies have signed up to the third party 
service when this is not the case or give the impression that the company is obliged to respond via the 
third party online portal when this is not the case. 


BGL has in the past contacted the ICO with its concerns regarding the practices of such companies 
who try to force companies to agree to terms and conditions to sign up to services in order to be able 
to view a SAR request allegedly made by one of their customers. In one case, the terms and 
conditions required the company to agree to the possibility of paying fees in the future and there were 
no assurances regarding the security of such services. 


The clarification in the draft guidance that companies are not required to pay a fee or sign up to a 
service in order to receive a SAR is helpful and BGL would submit that this is an important clarification 
that should remain in the guidance. 


BGL also remain concerned that these companies are still misleading consumers into believing that a 
valid SAR request has been made on their behalf which could lead to unnecessary complaints being 
made by consumers when they do not receive a response to their request. We would suggest that the 
guidance should also address the ICO’s expectations in terms of how such third party companies 
promote their services to consumers and what information they give to consumers regarding the 
validity of the request they make on their behalf, for example, making clear the exemptions that may 
apply to their request or making it clear that the company may need to contact them directly regarding 
the request. 


Q9 


Q10 



How should we deal with bulk requests? 


Although BGL agrees that an individual request within a bulk request should be considered on its 
individual merits, further clarification as to a Data Controller's obligations in these circumstances would 
be helpful. Specifically, the third bullet point under this section states that:- 


“If a request is made by a third party on behalf of an individual, the behaviour of the third party should 
not be taken into account in determining whether a request is manifestly unfounded or excessive.” 


Where a third party is acting on behalf of an individual in making the request, the behaviour of the third 
party is likely to be extremely relevant. For example, if the third party is making repeated requests for 
the same data or making unreasonable demands in relation to the request, BGL would submit that this 
behaviour should not be disregarded. If such behaviour by the data subject would have meant the 
request could be deemed manifestly unfounded or excessive, then the same behaviour by a third party 
acting on the data subject's behalf should be treated in the same way. The current wording in this 
section of the guidance would leave it open for third parties to argue that the request could never be 
deemed unfounded or excessive, notwithstanding how reasonable their behaviour. 


Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

On behalf of an organisation 

O Other 


Please specify the name of your organisation: 
BGL Group Limited 
What sector are you from: 


Financial Services 


How did you find out about this survey? 


O ICO Twitter account 
X ICO Facebook account 


ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 




Thank you for taking the time to complete the survey. 


